BastionSec
Certification · ISO/IEC 42001:2023 · AIMS

ISO 42001: govern your AI before you're asked to.

The management system for AI (AIMS), synergistic with the EU AI Act and ISO 27001. Built by people who actually use AI, and govern it on themselves.

  • We support you, we don't certify: the accredited body assesses and issues it.
  • ISO 42001 is a standard, the EU AI Act is a law: different things, synergistic.
  • Honest about the market: it's a young standard (2023), and we tell you the whole story.

Who ISO 42001 is for

Quick self-qualification: do you recognise yourself in one of these?

AI in the product or processes

You have AI in your product or processes and are starting to get questions from clients and partners.

EU grants and tenders

You bid for EU grants and tenders where AI governance is starting to score points.

Getting ahead of the EU AI Act

You want to get ahead of the EU AI Act with a recognised system, instead of catching up.

What ISO 42001 is

ISO/IEC 42001:2023 is the certifiable standard for an AIMS: an AI management system. It's recent (2023) and defines how an organisation governs the development and use of AI responsibly: risks, data, transparency, human oversight.

It's built on the same logic as ISO 27001, so it integrates well if you already have (or want) an ISMS.

Want to understand what it is and what the AIMS covers first? Read the ISO 42001 guide on our standard page.

Honestly: it's a young standard. ISO 42001 dates from 2023, the number of accredited bodies and issued certifications is still limited, and the market is forming. We don't sell it as mandatory for everyone. It makes sense now if you have AI in your product, client requests, or EU grants that reward it. If you don't, we'll say so, and wait with you.

ISO 42001, the EU AI Act and ISO 27001: how they connect

The EU AI Act is a law (obligations for those who build/use AI, risk-based); ISO 42001 is a voluntary, certifiable standard that gives you a system to manage those obligations in an orderly way. They aren't the same thing, but an AIMS puts you in a far better position against the AI Act.

And because it shares the structure of ISO 27001, much of the security work is reused: no duplication.

What you get along the way

  • AI policy and AI governance objectives.
  • AI risk assessment and AI system impact assessment.
  • AI systems inventory and model lifecycle management.
  • Controls over data, bias, transparency and human oversight.
  • AI supplier governance (whoever provides your models/services).
  • Internal audit and preparation for the accredited body's audit.

We prepare, the body certifies

Like ISO 27001: we support you from policy to internal audit; an accredited certification body, independent from us, runs the audit and issues the certificate. AI speeds up the documentation; experts validate.

And yes, we run this governance on ourselves too, so we know it works.

Timeline and price

  1. Preparation: a few months

     Depending on your readiness, with logic similar to ISO 27001.

  2. The body's audit: accredited body

     Accredited bodies for 42001 are still few: we factor that into planning.

  3. 3-year cycle: with surveillance and recertification

     Pricing is a range / on request because scope (how many and which AI systems) varies a lot.

We define timeline and price after a first conversation, based on the scope of your AI systems.

Frequently asked

Are ISO 42001 and the EU AI Act the same thing?

No. The EU AI Act is a law with risk-based obligations; ISO 42001 is a voluntary, certifiable standard that gives you a system to manage AI in an orderly way. They aren't equivalent, but an AIMS makes you far more prepared for the AI Act.

Is it too early for ISO 42001?

It depends. If you have AI in your product, client requests or EU grants that reward it, no: you're early, and that's an advantage. If you have none of those triggers, we'll say so honestly and wait with you.

Does it integrate with ISO 27001?

Yes, very well: ISO 42001 shares ISO 27001's structure, so much of the risk and control work is reused. If you already have an ISMS, you start ahead; if not, we can build both systems together.

Is it needed for EU grants and tenders?

Increasingly, AI governance is starting to count in evaluation criteria. It's not automatic for every tender: we check the ones you care about and tell you whether ISO 42001 truly moves the needle for you.

Who issues the ISO 42001 certification?

An accredited certification body, independent from us, not BastionSec. We prepare and support you; the body assesses and issues it. Accredited bodies for 42001 are still few: we factor that into planning.

Can you actually do this? It's new for everyone.

We use AI every day and govern its use on ourselves: we practise what we preach. For a young standard, working with people who understand AI in substance, not just the paperwork, makes the difference.

How much does it cost and how long does it take?

Similar logic to ISO 27001: a few months of preparation depending on readiness, then the body's audit, then a 3-year cycle with surveillance. Pricing is a range/on request because it depends on how many AI systems are in scope. We define it after a first conversation.

Go deeper

What ISO 42001 is

The guide to the AIMS standard: what it is, what it covers, how it connects to the EU regulatory frontier.

ISO 27001

The ISMS the AIMS builds on: if you already have a security management system, you start ahead.

EU Compliance

GDPR, NIS2, DORA and the EU regulatory frontier, including the EU AI Act context.

Are you AI-ready? Find out.

Tell us your need: we check whether ISO 42001 makes sense for you now, and tell you honestly.